Bug#909802: poppler: CVE-2018-16646 denial-of-service via crafted file
Moritz Mühlenhoff
jmm at inutil.org
Tue Nov 6 16:14:35 GMT 2018
On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote:
> Package: poppler
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for poppler.
>
> CVE-2018-16646[0]:
> | In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause
> | infinite recursion via a crafted file. A remote attacker can leverage
> | this for a DoS attack.
For jessie the wrong patches got applied. They are based on MR 67, which
didn't get merged in favour of the patch from MR 91.
On a more general notice: This bug has virtually no security impact, it's
hard to see why this change was made for an LTS release to begin with,
but at least wait until it's applied/fixed in unstable before backporting.
Cheers,
Moritz